>does anyone know if there are plans to support multiple required 
>authentications in openssh any time soon?  I believe there's a patch that does 
>that, but I haven't been able to find any mention of when or whether something 
>like that might make it into a regular release.

You can do that now if you have PAM support in your OS and compile it in.  You 
can then stack authentication.  For clients that support multiple password 
prompts (called PAM authentication in some clients), it works great.  I use this 
to authenticate against the local password file as well as requiring a SecurID 
token--using a SecurID pam module I wrote.

The reason the client has to support PAM authentication is the original ssh v1 
clients did the prompting and sent the input to the server.  For these clients, 
when you see [EMAIL PROTECTED]'s password: it is the client printing the 
prompt and reading the input, not the server.

The clients in the latest OpenSSH now support this when the server has PAM and 
wants to send prompts and request input.  If I remember properly, for ssh.com 
v2.x clients, you can get this functionality by adding pam to the list of 
allowed authentication protocols in the ssh_config file.  You will have to look 
at the documentation for the actual name to use.  I don't think it is simply 
pam.  Many of the latest Windows clients also allow remote prompting.  

If you do request multiple authentications that require prompts, be aware that 
older clients will fail since they don't understand receiving prompts from the 
server.

Hope this helps.

        --Dave

PS.  Of course this doesn't allow you to do pubkey + passwd as listed in the 
Subject.  To get that using what I described, you would have to hack the code or 
devise a pubkey PAM module.

--
David Knight French                           
Black Mountain Computer Consulting
Voice: (858)573-2959
Email: [EMAIL PROTECTED]
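
Added example (not part of the message above, and not OpenSSH's or the author's code): a small Python check that a PAM service file really stacks two mandatory auth modules and that sshd is configured to relay the server-side prompts the message describes. The module name pam_token_example.so, the sample file contents and the function names are assumptions made for illustration; the sshd_config keywords are those of current OpenSSH, not taken from the message.

```python
import re

# Constructed sample of /etc/pam.d/sshd: local password file plus a token module.
# pam_token_example.so is a hypothetical placeholder, not a real module name.
SAMPLE_PAM = """\
auth     required   pam_unix.so
auth     required   pam_token_example.so   # second factor (placeholder)
account  required   pam_unix.so
"""
# Constructed sample of sshd_config, using current OpenSSH keyword names.
SAMPLE_SSHD = "UsePAM yes\nKbdInteractiveAuthentication yes\n"

MUST_PASS = {"required", "requisite"}  # control flags whose failure fails the stack

def mandatory_auth_modules(pam_text):
    """List auth modules that must all succeed (include lines are not followed)."""
    mods = []
    for line in pam_text.splitlines():
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.split("#", 1)[0].strip())
        if m and m.group(1).lstrip("-") == "auth" and m.group(2) in MUST_PASS:
            mods.append(m.group(3))
    return mods

def sshd_options(cfg_text):
    """Parse global sshd_config keywords; sshd uses the first value it reads."""
    opts = {}
    for line in cfg_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def audit(pam_text, cfg_text):
    """Return (mandatory auth modules, findings that break stacked prompting)."""
    mods, opts, findings = mandatory_auth_modules(pam_text), sshd_options(cfg_text), []
    if len(mods) < 2:
        findings.append("fewer than two mandatory auth modules: nothing is stacked")
    if opts.get("usepam", "no") != "yes":  # UsePAM defaults to no
        findings.append("UsePAM is off: sshd never consults the PAM stack")
    # keyboard-interactive defaults to yes; the older keyword is a deprecated alias
    kbd = opts.get("kbdinteractiveauthentication",
                   opts.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        findings.append("keyboard-interactive is off: server prompts cannot reach the client")
    return mods, findings

if __name__ == "__main__":
    print(audit(SAMPLE_PAM, SAMPLE_SSHD))
```

Modules marked sufficient or optional are deliberately not counted, since a stack built from them does not force every factor to pass.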
